Re: [OAUTH-WG] third party applications

Denis <denis.ietf@free.fr> Tue, 01 September 2020 14:57 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/u-Jn_2El3pkfQcAoB2_8I0jFR7E>

Hello Dima,

Not exactly.

Change:

    or by allowing the third-party application

into:

    or by allowing the application


Denis

> Thank everyone for your feedback.
>
> So the abstract could look like this:
>
>     The OAuth 2.1 authorization framework enables a*n* *third-party*
>     application to obtain limited access to an HTTP service, either on
>     behalf of a resource owner by orchestrating an approval interaction
>     between the resource owner and the HTTP service, or by allowing the
>     third-party application to obtain access on its own behalf.  This
>     specification replaces and obsoletes the OAuth 2.0 Authorization
>     Framework described in RFC 6749 <https://tools.ietf.org/html/rfc6749>.
>
> And an additional section is required to describe scenarios where this 
> framework works well and scenarios when it doesn't.
>
> On Sat, Aug 29, 2020 at 2:37 AM Aaron Parecki <aaron@parecki.com> wrote:
>
>     I agree. While the original motivations for OAuth were to support
>     third-party apps, it's proven to be useful in many other kinds of
>     situations as well, even when it's a "first-party" app but the
>     OAuth server is operated by a different organization than the
>     APIs. I don't think the abstract needs any qualification on this
>     and would only confuse people further. Any clarifications of which
>     situations are appropriate for using OAuth could be explored in a
>     different section in the spec.
>
>     Aaron Parecki
>
>     On Fri, Aug 28, 2020 at 3:02 AM Torsten Lodderstedt
>     <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>
>         I agree. OAuth works for 3rd as well as 1st parties as well.
>
>         > On 28. Aug 2020, at 05:26, Dima Postnikov <dima@postnikov.net> wrote:
>         >
>         > Hi,
>         >
>         > Can "third-party" term be removed from the specification?
>         >
>         > The standard and associated best practices apply to other
>         > applications that act on behalf of a resource owner, too
>         > (internal, "first-party" and etc).
>         >
>         > Regards,
>         >
>         > Dima
>         >
>         > The OAuth 2.1 authorization framework enables a third-party
>         >    application to obtain limited access to an HTTP service, either on
>         >    behalf of a resource owner by orchestrating an approval interaction
>         >    between the resource owner and the HTTP service, or by allowing the
>         >    third-party application to obtain access on its own behalf.  This
>         >    specification replaces and obsoletes the OAuth 2.0 Authorization
>         >    Framework described in RFC 6749.
>         > _______________________________________________
>         > OAuth mailing list
>         > OAuth@ietf.org <mailto:OAuth@ietf.org>
>         > https://www.ietf.org/mailman/listinfo/oauth